
Parameters --cert-not-after and --cert-not-before of step ca token for non-ssh certificates #1410

@PreterPant

Description

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

The documentation states that the parameters --cert-not-after and --cert-not-before of step ca token are only supported on SSH certificates. Those options would be very helpful for X.509 certificates as well.

The question is whether the documentation on this is even correct, since it was raised in #1065 under (2) that the code might work for certificates other than SSH.

Why is this needed?

If you issue one-time tokens to a third party to enroll for a certificate, it would be desirable to be able to enforce a certificate runtime lower than the maximum allowed runtime. Since the redeeming of the token would not happen in a controlled environment, the restriction would best be baked into the token to be handled by the server, thus allowing a provisioner to have a higher max for some tokens.
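The control the last paragraph asks for, a certificate validity cap carried inside the one-time token and enforced by the CA rather than by the client, as an added example in Go. This is not smallstep's code or its token format: the HMAC-signed compact token, the claim names certNotBefore/certNotAfter and the Sign/Verify/CertValidity functions are assumptions for illustration (step tokens are JWTs with their own claim layout). The server-side rule it demonstrates is that a token may only shorten the lifetime, and a request beyond the provisioner maximum is rejected rather than silently clamped.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a hypothetical token payload (not step's own JWT layout):
// nbf/exp bound the token itself; certNotBefore/certNotAfter carry the
// certificate window the token holder is allowed to receive.
type Claims struct {
	Subject       string `json:"sub"`
	NotBefore     int64  `json:"nbf"`
	Expiry        int64  `json:"exp"`
	CertNotBefore int64  `json:"certNotBefore,omitempty"`
	CertNotAfter  int64  `json:"certNotAfter,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func mac(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return b64(m.Sum(nil))
}

// Sign produces a compact "payload.mac" token; the MAC covers the claims, so
// the holder cannot widen the certificate window after the token is issued.
func Sign(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	p := b64(payload)
	return p + "." + mac(key, p), nil
}

// Verify checks the MAC (constant-time) and the token's own validity window.
func Verify(key []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	if !hmac.Equal([]byte(mac(key, parts[0])), []byte(parts[1])) {
		return c, errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, err
	}
	if now.Unix() < c.NotBefore || now.Unix() >= c.Expiry {
		return c, errors.New("token not yet valid or expired")
	}
	return c, nil
}

// CertValidity is the server-side policy: the token may only shorten the
// certificate lifetime; anything beyond the provisioner maximum is rejected.
func CertValidity(c Claims, now time.Time, maxLifetime time.Duration) (time.Time, time.Time, error) {
	nb := now
	if c.CertNotBefore != 0 {
		nb = time.Unix(c.CertNotBefore, 0)
	}
	na := nb.Add(maxLifetime) // provisioner maximum, used when the token asks for nothing shorter
	if c.CertNotAfter != 0 {
		req := time.Unix(c.CertNotAfter, 0)
		if req.After(na) {
			return time.Time{}, time.Time{}, fmt.Errorf("token requests notAfter %s beyond provisioner max %s", req.UTC(), na.UTC())
		}
		na = req
	}
	if !na.After(nb) {
		return time.Time{}, time.Time{}, errors.New("notAfter must be after notBefore")
	}
	return nb, na, nil
}

func main() {
	key, now := []byte("constructed-demo-key"), time.Now() // constructed secret for the demo
	tok, _ := Sign(key, Claims{Subject: "device-42", NotBefore: now.Unix(),
		Expiry: now.Add(5 * time.Minute).Unix(), CertNotAfter: now.Add(2 * time.Hour).Unix()})
	if c, err := Verify(key, tok, now); err == nil {
		fmt.Println(CertValidity(c, now, 24*time.Hour))
	}
}
```

The point of keeping the cap in the signed payload is that the issuing side decides the lifetime once, and the redeeming client, which runs outside the issuer's control, can neither drop the claim nor raise it without invalidating the MAC; the CA then applies the provisioner maximum as a hard ceiling on top of that.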

Labels

enhancement, needs triage (Waiting for discussion / prioritization by team)